Bug 143261

Summary: REGRESSION(r181993): [EFL] Performance test Speedometer/Full.html crashes
Product: WebKit
Reporter: Carlos Alberto Lopez Perez <clopez>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED WONTFIX
Severity: Normal
CC: cgarcia, chavarria1991, fpizlo, ggaren, gyuyoung.kim, mcatanzaro, ossy, svillar, tonikitoo, zan
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 141174
Attachments:
GDB Backtrace for the GTK port when running the perf test Speedometer/Full.html (release built on r182181) (flags: none)
GDB Backtrace for the GTK port when running the perf test Speedometer/Full.html (debug built on r182181) (flags: none)

Description Carlos Alberto Lopez Perez 2015-03-31 05:33:08 PDT
Created attachment 249821 [details]
GDB Backtrace for the GTK port when running the perf test Speedometer/Full.html (release built on r182181)

Since r181993 <http://trac.webkit.org/r181993> on platform GTK the performance test Speedometer/Full.html is flaky.
I double-checked this:

 * On r181992 the test works without problems.
 * On r181993 the test is flaky and crashes.


I tried to reproduce the crash with the GTK Debug build (in order to get a more meaningful trace), but I wasn't able to make it crash with the Debug build.
So perhaps this is caused by some race condition. I'm attaching the GDB backtrace (for release build). The relevant part is:

Core was generated by `/home/clopez/webkit/webkit/WebKitBuild/Release/bin/WebKitWebProcess 16'.
Program terminated with signal SIGSEGV, Segmentation fault.

Thread 1 (Thread 0x7f510947ea40 (LWP 29315)):
#0  0x00007f511a644e08 in JSC::CodeBlockSet::clearMarksForEdenCollection(WTF::Vector<JSC::JSCell const*, 0ul, WTF::CrashOnOverflow> const&) () from /home/clopez/webkit/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#1  0x00007f511a64c14f in JSC::Heap::markRoots(double, void*, void*, __jmp_buf_tag (&) [1]) () from /home/clopez/webkit/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#2  0x00007f511a64e2a5 in JSC::Heap::collectImpl(JSC::HeapOperation, void*, void*, __jmp_buf_tag (&) [1]) () from /home/clopez/webkit/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#3  0x00007f511a64e06a in JSC::Heap::collect(JSC::HeapOperation) () from /home/clopez/webkit/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#4  0x00007f511a659114 in JSC::MarkedAllocator::allocateSlowCase(unsigned long) () from /home/clopez/webkit/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#5  0x00007f511a6cf5cb in operationNewObject () from /home/clopez/webkit/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
Comment 1 Carlos Alberto Lopez Perez 2015-03-31 07:16:51 PDT
Created attachment 249822 [details]
GDB Backtrace for the GTK port when running the perf test Speedometer/Full.html (debug built on r182181)

Finally I was able to get the test to crash with the Debug build. However, the trace I got seems different from the one from the release build. So maybe we are hitting another bug here.

In any case, I'm attaching here the GDB backtrace. The relevant part is:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
321	    *(int *)(uintptr_t)0xbbadbeef = 0;
#1  0x00007f10346f57e4 in JSC::Heap::writeBarrier (this=0x7f101a0306d8, from=0x7f101a1c4c70) at ../../Source/JavaScriptCore/heap/HeapInlines.h:150
#2  0x00007f102fdfa135 in JSC::ScriptExecutable::installCode (this=0x7f101a1c4c70, genericCodeBlock=0x7f0f854b7720) at ../../Source/JavaScriptCore/runtime/Executable.cpp:199
#3  0x00007f102f75fc45 in JSC::CodeBlock::install (this=0x7f0f854b7720) at ../../Source/JavaScriptCore/bytecode/CodeBlock.cpp:2989
#4  0x00007f102f75e44f in JSC::CodeBlock::jettison (this=0x7f0f85338720, reason=JSC::Profiler::JettisonDueToUnprofiledWatchpoint, mode=JSC::CountReoptimization, detail=0x7fff8bdd4ec8) at ../../Source/JavaScriptCore/bytecode/CodeBlock.cpp:3086

The following output was also printed on the screen:

$ Tools/Scripts/run-perf-tests --no-show-results --platform gtk --debug Speedometer/Full.html
****************************************************
* WARNING: run-perf-tests is running in DEBUG mode *
****************************************************
Running 1 tests
Running Speedometer/Full.html (1 of 1)
error: Speedometer/Full.html
ASSERTION FAILED: isMarked(from)
../../Source/JavaScriptCore/heap/HeapInlines.h(150) : void JSC::Heap::writeBarrier(const JSC::JSCell *)
1   0x7f102fffe330 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x20) [0x7f102fffe330]
2   0x7f10346f57e4 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN3JSC4Heap12writeBarrierEPKNS_6JSCellE+0x164) [0x7f10346f57e4]
3   0x7f102fdfa135 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC16ScriptExecutable11installCodeEPNS_9CodeBlockE+0x735) [0x7f102fdfa135]
4   0x7f102f75fc45 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC9CodeBlock7installEv+0x25) [0x7f102f75fc45]
5   0x7f102f75e44f /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC9CodeBlock8jettisonENS_8Profiler14JettisonReasonENS_18ReoptimizationModeEPKNS_10FireDetailE+0x45f) [0x7f102f75e44f]
6   0x7f102f7903c2 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC30CodeBlockJettisoningWatchpoint12fireInternalERKNS_10FireDetailE+0x82) [0x7f102f7903c2]
7   0x7f102f7c7f4f /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC10Watchpoint4fireERKNS_10FireDetailE+0x2f) [0x7f102f7c7f4f]
8   0x7f102f7c7917 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC13WatchpointSet18fireAllWatchpointsERKNS_10FireDetailE+0x57) [0x7f102f7c7917]
9   0x7f102f7c78a6 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC13WatchpointSet11fireAllSlowERKNS_10FireDetailE+0x66) [0x7f102f7c78a6]
10  0x7f102f78bf35 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC13WatchpointSet7fireAllERKNS_10FireDetailE+0x55) [0x7f102f78bf35]
11  0x7f102f78bec8 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC13WatchpointSet10invalidateERKNS_10FireDetailE+0x38) [0x7f102f78bec8]
12  0x7f102f76a1ff /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC21VariableWatchpointSet10invalidateERKNS_10FireDetailE+0x3f) [0x7f102f76a1ff]
13  0x7f102ff45b17 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC21VariableWatchpointSet23finalizeUnconditionallyERKNS_10FireDetailE+0x107) [0x7f102ff45b17]
14  0x7f102ff438fd /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC11SymbolTable17WatchpointCleanup23finalizeUnconditionallyEv+0xfd) [0x7f102ff438fd]
15  0x7f102fb7085d /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC11SlotVisitor31finalizeUnconditionalFinalizersEv+0x5d) [0x7f102fb7085d]
16  0x7f102fb4564b /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC4Heap31finalizeUnconditionalFinalizersEv+0x2b) [0x7f102fb4564b]
17  0x7f102fb47b73 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC4Heap11collectImplENS_13HeapOperationEPvS2_RA1_13__jmp_buf_tag+0x433) [0x7f102fb47b73]
18  0x7f102fb47721 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC4Heap7collectENS_13HeapOperationE+0x81) [0x7f102fb47721]
19  0x7f102fb47624 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC4Heap17collectAllGarbageEv+0x34) [0x7f102fb47624]
20  0x7f1034bd0e2b /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0x4031e2b) [0x7f1034bd0e2b]
21  0x7f1034bd0d7e /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore12GCController12gcTimerFiredEv+0x1e) [0x7f1034bd0d7e]
22  0x7f1034bd1722 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNKSt7_Mem_fnIMN7WebCore12GCControllerEFvvEEclIJEvEEvPS1_DpOT_+0x72) [0x7f1034bd1722]
23  0x7f1034bd16a3 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNSt5_BindIFSt7_Mem_fnIMN7WebCore12GCControllerEFvvEEPS2_EE6__callIvJEJLm0EEEET_OSt5tupleIJDpT0_EESt12_Index_tupleIJXspT1_EEE+0x43) [0x7f1034bd16a3]
24  0x7f1034bd1656 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNSt5_BindIFSt7_Mem_fnIMN7WebCore12GCControllerEFvvEEPS2_EEclIJEvEET0_DpOT_+0x26) [0x7f1034bd1656]
25  0x7f1034bd141d /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNSt17_Function_handlerIFvvESt5_BindIFSt7_Mem_fnIMN7WebCore12GCControllerEFvvEEPS4_EEE9_M_invokeERKSt9_Any_data+0x1d) [0x7f1034bd141d]
26  0x7f10343a8eee /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNKSt8functionIFvvEEclEv+0x3e) [0x7f10343a8eee]
27  0x7f10343a8e7c /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore5Timer5firedEv+0x1c) [0x7f10343a8e7c]
28  0x7f1035872b5c /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore12ThreadTimers24sharedTimerFiredInternalEv+0x18c) [0x7f1035872b5c]
29  0x7f1035872889 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore12ThreadTimers16sharedTimerFiredEv+0x19) [0x7f1035872889]
30  0x7f1035044807 /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNSt17_Function_handlerIFvvEPS0_E9_M_invokeERKSt9_Any_data+0x17) [0x7f1035044807]
31  0x7f10343a8eee /home/clopez/webkit/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNKSt8functionIFvvEEclEv+0x3e) [0x7f10343a8eee]

FAILED
Finished: 309.366842 s
Comment 2 Sergio Villar Senin 2015-11-09 07:18:46 PST
fpizlo@, ggaren@ any idea about what's going on here? Our perf bot is red and reporting crashes for that test since the revision mentioned by Carlos.
Comment 3 Carlos Garcia Campos 2015-11-18 03:23:43 PST
It seems that after enabling FTL it crashes more consistently. The bt is different, though, and it doesn't seem to be the main thread that is crashing:

[Switching to Thread 0x7fed9effd700 (LWP 26509)]
0x00007fee01d72022 in JSC::SlotVisitor::drain() () from /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
(gdb) bt
#0  0x00007fee01d72022 in JSC::SlotVisitor::drain() () from /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#1  0x00007fee01d722d7 in JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode) ()
   from /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#2  0x00007fee01d4c8d0 in WTF::SharedTaskFunctor<void (), JSC::Heap::markRoots(double, void*, void*, __jmp_buf_tag (&) [1])::{lambda()#1}>::run() ()
   from /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#3  0x00007fee021f760b in WTF::ParallelHelperClient::runTask(WTF::RefPtr<WTF::SharedTask<void ()> >) ()
   from /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#4  0x00007fee021f83bc in WTF::ParallelHelperPool::helperThreadBody() () from /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#5  0x00007fee021fbe55 in WTF::threadEntryPoint(void*) () from /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#6  0x00007fee02227b7a in WTF::wtfThreadEntryPoint(void*) () from /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
#7  0x00007fee010490a4 in start_thread (arg=0x7fed9effd700) at pthread_create.c:309
#8  0x00007fedf8ce506d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
Comment 4 Carlos Garcia Campos 2015-11-18 06:48:43 PST
I've been looking at this, and without knowing JavaScriptCore what I've noticed is that Heap::addToRememberedSet() is receiving a JSCell that is not marked and is added to the SlotVisitor m_stack that expects contents to be marked. I have no idea why, since I'm not familiar with JSC.
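The invariant behind the debug assertion in comment 1 (`ASSERTION FAILED: isMarked(from)` in `Heap::writeBarrier`) and the observation in comment 4 (the remembered set must only contain marked cells) can be illustrated with a small generational-heap model. The following is an added example written for this page, not JavaScriptCore code: `Cell`, `ToyHeap` and every other name in it are constructed for the illustration, and it only mimics the shape of JSC's write barrier and remembered set. It shows why an old-to-new store must be recorded (the new cell is otherwise freed while still referenced, which is how a GC bug turns into a use-after-free crash like the release backtraces above) and how the remembered-set check rejects an unmarked cell.

```cpp
// Added example (not JavaScriptCore code): toy generational heap modelling the
// write barrier / remembered set invariant. All names are constructed for this demo.
#include <algorithm>
#include <cstdio>
#include <memory>
#include <vector>

struct Cell {
    bool marked = false;         // reached by the last collection; old cells keep it set
    bool remembered = false;     // already in the remembered set
    std::vector<Cell*> children; // outgoing references
};

class ToyHeap {
public:
    Cell* allocate() { cells.push_back(std::make_unique<Cell>()); return cells.back().get(); }

    bool isLive(const Cell* c) const {  // pointer comparison only, never dereferences c
        return std::any_of(cells.begin(), cells.end(),
                           [c](const std::unique_ptr<Cell>& p) { return p.get() == c; });
    }

    // Run before storing a reference into `from`. Unmarked cells are eden cells that the
    // next eden collection scans anyway; marked (old) cells are not re-scanned, so they
    // must be remembered or a new referent would be freed while still reachable.
    bool writeBarrier(Cell* from) { return !from->marked || addToRememberedSet(from); }

    // Invariant: only marked cells enter the remembered set (JSC's ASSERT(isMarked(from))).
    bool addToRememberedSet(Cell* from) {
        if (!from->marked) return false;  // violation: would be an unmarked cell in the set
        if (!from->remembered) { from->remembered = true; remembered.push_back(from); }
        return true;
    }

    // Full collection: drop all marks, mark everything reachable from roots, sweep the rest.
    void fullCollect(const std::vector<Cell*>& roots) {
        for (auto& c : cells) c->marked = c->remembered = false;
        remembered.clear();
        markStack = roots;
        drainAndSweep();
    }

    // Eden collection: old cells keep their marks and are not re-scanned; their new
    // children are reached only through the remembered set.
    void edenCollect(const std::vector<Cell*>& roots) {
        markStack = roots;
        for (Cell* r : remembered) {  // remembered old cells contribute their children as roots
            r->remembered = false;
            markStack.insert(markStack.end(), r->children.begin(), r->children.end());
        }
        remembered.clear();
        drainAndSweep();
    }

private:
    void drainAndSweep() {
        while (!markStack.empty()) {
            Cell* c = markStack.back();
            markStack.pop_back();
            if (c->marked) continue;  // already visited, or old
            c->marked = true;
            markStack.insert(markStack.end(), c->children.begin(), c->children.end());
        }
        cells.erase(std::remove_if(cells.begin(), cells.end(),
                        [](const std::unique_ptr<Cell>& p) { return !p->marked; }),
                    cells.end());
    }

    std::vector<std::unique_ptr<Cell>> cells;
    std::vector<Cell*> remembered;
    std::vector<Cell*> markStack;
};

// Store an old -> new edge after a full collection, then run an eden collection.
// Returns whether the new cell is still live; false means `root` now holds a dangling pointer.
bool newCellSurvivesEden(bool useBarrier) {
    ToyHeap heap;
    Cell* root = heap.allocate();
    heap.fullCollect({root});        // root is now old (marked)
    Cell* young = heap.allocate();   // allocated afterwards: eden, unmarked
    if (useBarrier) heap.writeBarrier(root);
    root->children.push_back(young);
    heap.edenCollect({root});
    return heap.isLive(young);
}

// The remembered set refuses a cell no collection has marked; a collector that skipped
// this check would later drain a cell its mark bits say was never visited.
bool rememberedSetRejectsUnmarked() {
    ToyHeap heap;
    Cell* young = heap.allocate();   // never collected, so never marked
    return !heap.addToRememberedSet(young);
}

int main() {
    std::printf("with barrier, new cell survives eden GC: %s\n", newCellSurvivesEden(true) ? "yes" : "no");
    std::printf("without barrier, new cell survives eden GC: %s\n", newCellSurvivesEden(false) ? "yes" : "no");
    std::printf("remembered set rejects unmarked cell: %s\n", rememberedSetRejectsUnmarked() ? "yes" : "no");
    return 0;
}
```

In the model the missing-barrier case leaves `root->children[0]` pointing at freed memory, which a later collection would walk; that is the class of failure a release build reports as a segfault inside the mark/drain code, while a debug build catches the broken invariant earlier at the assertion.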
Comment 5 Carlos Garcia Campos 2015-11-22 00:20:47 PST
I'm seeing this crash in EFL perf bot too:

Running Speedometer/Full.html (150 of 150)
error: Speedometer/Full.html
1   0x7f1a05f74238
2   0x7f1a0617deb0
3   0x7f1a05db48ec JSC::JSPropertyNameEnumerator::visitChildren(JSC::JSCell*, JSC::SlotVisitor&)
4   0x7f1a05adecbf JSC::SlotVisitor::drain()
5   0x7f1a05ad0702 JSC::Heap::markRoots(double, void*, void*, __jmp_buf_tag (&) [1])
6   0x7f1a05ad3ff6 JSC::Heap::collectImpl(JSC::HeapOperation, void*, void*, __jmp_buf_tag (&) [1])
7   0x7f1a05ad42b8 JSC::Heap::collect(JSC::HeapOperation)
8   0x7f1a05ac5796 JSC::CopiedSpace::tryAllocateSlowCase(unsigned long, void**)
9   0x7f1a05db4a21 JSC::JSPropertyNameEnumerator::finishCreation(JSC::VM&, unsigned int, unsigned int, WTF::PassRefPtr<JSC::PropertyNameArrayData>)
10  0x7f1a05db4e2b JSC::JSPropertyNameEnumerator::create(JSC::VM&, JSC::Structure*, unsigned int, unsigned int, JSC::PropertyNameArray&)
11  0x7f1a05b79526 JSC::propertyNameEnumerator(JSC::ExecState*, JSC::JSObject*)
12  0x7f19a80e81ec

FAILED
Finished: 100.308614 s

It doesn't seem to happen that often for EFL, though.
Comment 6 Carlos Garcia Campos 2015-11-27 03:30:23 PST
After r192775 I can't reproduce the crash locally anymore and the GTK perf bot is green, so maybe the WebCore GC timer was causing this somehow.
Comment 7 Carlos Alberto Lopez Perez 2015-11-30 09:41:02 PST
(In reply to comment #6)
> After r192775 I can't reproduce the crash locally anymore and the GTK perf
> bot is green, so maybe the WebCore GC timer was causing this somehow.

Seems it is still happening, not as frequently as before, but it still fails sometimes:

https://build.webkit.org/builders/GTK%20Linux%2064-bit%20Release%20%28Perf%29?numbuilds=200

Perhaps there is more than one issue causing this test to fail.
Comment 8 Carlos Garcia Campos 2016-02-09 03:22:47 PST
This never failed again after r195537 for GTK+. I'm leaving this open because I don't know if it's still an issue for EFL.
Comment 9 Michael Catanzaro 2017-03-11 10:40:53 PST
Closing this bug because the EFL port has been removed from trunk.

If you feel this bug applies to a different upstream WebKit port and was closed in error, please either update the title and reopen the bug, or leave a comment to request this.